
21 matches found

SUSE CVE
added 2026/05/15 1:58 a.m., 8 views

SUSE CVE-2026-42584

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103,...

7.3 CVSS, 5.8 AI score, 0.00016 EPSS
Exploits: 1, References: 3

NVD
added 2026/05/13 7:17 p.m., 10 views

CVE-2026-44248

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader method is called before the...

7.5 CVSS, 0.00018 EPSS
Exploits: 0, References: 1

UbuntuCve
added 2026/05/13 7:17 p.m., 4 views

CVE-2026-42586

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder RedisEncoder writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the...

7.1 CVSS, 6.8 AI score, 0.00008 EPSS
Exploits: 1, References: 2

OSV
added 2026/05/13 7:17 p.m., 3 views

UBUNTU-CVE-2026-42585

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final...

7.5 CVSS, 5.8 AI score, 0.00012 EPSS
Exploits: 1, References: 3

UbuntuCve
added 2026/05/13 7:17 p.m., 3 views

CVE-2026-42577

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100...

7.5 CVSS, 7.2 AI score, 0.00051 EPSS
Exploits: 0, References: 4

OSV
added 2026/05/13 7:17 p.m., 3 views

UBUNTU-CVE-2026-42582

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length byt...

7.5 CVSS, 5.8 AI score, 0.00017 EPSS
Exploits: 1, References: 3

CVE
added 2026/05/13 6:12 p.m., 6 views

CVE-2026-42585

Netty CVE-2026-42585 affects Netty prior to versions 4.2.13.Final and 4.1.133.Final, where improper parsing of malformed Transfer-Encoding can enable HTTP request smuggling. Public advisories and OSV entries confirm the issue and that fixes are available in 4.2.13.Final and 4.1.133.Final. Affecte...

7.5 CVSS, 5.8 AI score, 0.00012 EPSS
Exploits: 1, References: 1, Affected Software: 1

Vulnrichment
added 2026/05/13 6:06 p.m., 4 views

CVE-2026-42582 Netty: HTTP/3 QPACK literal unbounded allocation

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length byt...

7.5 CVSS, 5.8 AI score, 0.00017 EPSS
Exploits: 1, References: 1

Debian CVE
added 2026/05/13 6:01 p.m., 8 views

CVE-2026-42579

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit t...

9.1 CVSS, 5.8 AI score, 0.00032 EPSS
Exploits: 1

Vulnrichment
added 2026/05/13 6:00 p.m., 3 views

CVE-2026-42577 Netty: epoll transport denial of service via RST on half-closed TCP connection

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100...

7.5 CVSS, 5.8 AI score, 0.00051 EPSS
Exploits: 0, References: 3

Cvelist
added 2026/05/13 6:00 p.m., 27 views

CVE-2026-42577 Netty: epoll transport denial of service via RST on half-closed TCP connection

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100...

7.5 CVSS, 0.00051 EPSS
Exploits: 0, References: 3

Snyk
added 2026/05/07 12:46 a.m., 7 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview: Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the HttpContentDecompressor and DelegatingDecompressorFrameListener components when the Content-Encoding header is set to br, zstd, or snappy. An attacker can exhaust...

8.7 CVSS, 5.8 AI score, 0.00018 EPSS
Exploits: 1, References: 2

OSV
added 2025/10/10 11:15 p.m., 1 views

UBUNTU-CVE-2025-11626

MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13 allows denial of service...

5.5 CVSS, 5.8 AI score, 0.0001 EPSS
Exploits: 0, References: 4

OpenVAS
added 2025/09/24 12:00 a.m., 3 views

openSUSE Security Advisory (SUSE-SU-2025:03294-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.8 CVSS, 6.5 AI score, 0.00031 EPSS
Exploits: 1, References: 4

OpenVAS
added 2025/09/24 12:00 a.m., 3 views

SUSE: Security Advisory (SUSE-SU-2025:03294-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.8 CVSS, 6.5 AI score, 0.00031 EPSS
Exploits: 1, References: 4

Positive Technologies
added 2025/01/24 12:00 a.m., 2 views

PT-2025-5520 · Unknown · Multivendorx Wc Marketplace

Name of the Vulnerable Software and Affected Versions: MultiVendorX WC Marketplace versions n/a through 4.2.13. Description: The issue is related to improper neutralization of input during web page generation, which leads to a Cross-site Scripting (XSS) vulnerability, specifically Stored XSS. This...

6.5 CVSS, 5.7 AI score, 0.00347 EPSS
Exploits: 0, References: 3

Cvelist
added 2025/01/16 1:03 p.m., 23 views

CVE-2025-0472 Information exposure vulnerability in PMB platform

Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response...

7.5 CVSS, 0.00194 EPSS
Exploits: 0, References: 1

CNNVD
added 2025/01/16 12:00 a.m., 1 views

PMB platform code issue vulnerability

PMB platform is a free document management software from PMB Inc. A code issue vulnerability exists in PMB platform versions 4.0.10 through 4.2.13, which stems from the presence of an unrestricted file upload that could allow an attacker to upload a file in order to gain remote access to the...

9.9 CVSS, 7.5 AI score, 0.00173 EPSS
Exploits: 0, References: 1

Patchstack
added 2020/09/22 12:00 a.m., 12 views

WordPress XCloner Backup and Restore plugin <= 4.2.12 - Unprotected AJAX Action vulnerability

Unprotected AJAX Action vulnerability found by Chloe Chamberland in WordPress XCloner Backup and Restore plugin versions <= 4.2.12. Solution: Update the WordPress XCloner Backup and Restore plugin to the latest available version (at least 4.2.13)...

3.9 AI score
Exploits: 0, References: 1, Affected Software: 1

NVD
added 2019/11/05 8:15 p.m., 11 views

CVE-2010-3673

TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API...

5.3 CVSS, 5.1 AI score, 0.00456 EPSS
Exploits: 0, References: 3